
Brief introduction to social engineering

Providing computer security is difficult (maybe even impossible), but imagine for a moment that we managed to do it. Where necessary, powerful cryptography is used, security protocols perfectly perform their functions. We have both reliable hardware and reliable software at our disposal. Even the network in which we operate is completely safe. Wonderful!
Unfortunately, this is not enough. This wonderful system can do something useful only with the participation of users. And this interaction between a person and a computer is fraught with the greatest threat of all.
People are often the weakest link in the system of security measures, and it is they who constantly cause the latter to be ineffective.
In terms of security, the mathematical apparatus is flawless, computers are vulnerable, networks are generally lousy, and people are just disgusting.
Bruce Schneier, "Secrets and Lies. Data Security in the Digital World"


Intro


Information is one of the most important assets of a company. Information may constitute a commercial secret of the company, i.e. under existing or possible circumstances it can increase revenues, avoid unnecessary costs, maintain a position in the market for goods, works or services, or bring other commercial benefits to the company. Accordingly, such information must be protected.
Since every company is made up of people, the human factor inevitably influences all of the organization's processes, including the process of protecting confidential information.
The "human factor" is a set phrase that designates a person's mental abilities as a potential or actual source (cause) of information-security problems when that person uses modern technologies.

Any human actions related to security breaches can be divided into two broad categories: intentional and unintentional actions.

Intentional actions include theft of information by employees, modification of information, or its destruction (sabotage). This is an extreme case, and it has to be dealt with after the fact, with the involvement of law enforcement.
Inadvertent actions include loss of information carriers and destruction or distortion of information through negligence. The person does not realize that his actions lead to a violation of the commercial-secrecy regime.
Inadvertent actions also include "helping" the wrong people, that is, so-called social engineering: the employee does not realize that his actions serve to violate the commercial-secrecy regime, while the person who asks him to act knows perfectly well that the regime is being broken.

Social engineering is a method of attack that gains unauthorized access to information or to information storage systems without the use of technical means. The method relies on exploiting weaknesses of the human factor and is very effective. The attacker obtains information, for example, by collecting data about the employees of the targeted organization, by making an ordinary phone call, or by entering the organization under the guise of one of its employees. An attacker can call a company employee (posing as technical support) and extract the password by citing the need to fix a small problem in a computer system. Very often this trick works. The most powerful weapons here are a pleasant voice and the attacker's acting ability. The names of employees can be learned through a series of calls and by studying the names of managers on the company's website and in other public sources (reports, advertising, etc.). Using real names in a conversation with technical support, the attacker tells a fictional story about being unable to reach an important meeting on site because his remote-access account is not working. Other tools of this method are going through the organization's rubbish containers and virtual recycle bins, and stealing a laptop or other media. This method is used when the attacker has chosen a particular company as the victim.

Social engineering techniques


All social engineering techniques are based on the characteristics of people's decision-making.
Pretexting is an action worked out according to a predetermined scenario (the pretext). As a result, the target (victim) is expected to give out certain information or perform a certain action. This type of attack is usually carried out by telephone. More often than not, the technique involves more than a simple lie and requires some preliminary research (for example, personalization: finding out the employee's name, his position and the names of the projects he is working on) in order to win the target's trust.

Phishing is a technique aimed at fraudulently obtaining confidential information. Typically, the attacker sends the target an e-mail forged to look like an official letter from a bank or a payment system, requiring the "verification" of certain information or the performance of certain actions. The letter usually contains a link to a fake web page imitating the official one, with the corporate logo and content, and containing a form that asks for confidential information, anything from a home address to a bank card PIN.

Trojan horse: This technique exploits the curiosity or greed of the target. The attacker sends an e-mail whose attachment claims to be an important antivirus update, or even fresh compromising material about an employee. The technique remains effective as long as users blindly open any attachment.

Road apple: This attack method is an adaptation of the Trojan horse and uses physical media. The attacker leaves an infected CD or memory card where it can easily be found (a corridor, an elevator, a car park). The medium is made to look official and carries a label designed to arouse curiosity.
Example: An attacker could plant a CD bearing the corporate logo and a link to the target company's official website, labelled "Wages of Q1 2010 Management Team". The disc can be left on the elevator floor or in the lobby. An unsuspecting employee may pick up the disc and insert it into a computer to satisfy his curiosity.

Quid pro quo: The attacker calls a random number at the company, introduces himself as a technical support officer and asks whether there are any technical problems. If there are, then in the course of "solving" them the target is talked into entering commands that allow the attacker to launch malicious software.

Reverse social engineering
The goal of reverse social engineering is to make the target approach the attacker for "help" on his own. To this end, the attacker can use the following techniques:
Sabotage: Creating a reversible problem on the victim's computer.
Advertising: The attacker slips the victim an advertisement of the form "If you have any problems with your computer, call this number" (this applies especially to employees who are on a business trip or on vacation).

Countermeasures


The most basic way to protect against social engineering is training: forewarned is forearmed, and ignorance is no excuse. All company employees should be aware of the risk of information disclosure and of how to prevent it.
In addition, company employees should have clear instructions on how and on what topics they may talk with a caller or visitor, and what information they need to obtain from him in order to authenticate him reliably.

Here are some rules that will be helpful:

1. All user passwords are company property. On their first day of work, all employees should be told that the passwords they have been issued must not be used for any other purpose, for example for logging in to Internet sites (it is well known that people find it hard to remember all their passwords and access codes, so they often reuse the same password in different situations).

How can such a weakness be exploited by social engineering? Suppose a company employee falls victim to phishing. As a result, his password for a certain website becomes known to third parties. If this password is the same as the one used inside the company, there is a potential threat to the security of the company itself.

In fact, it is not even necessary for the employee to fall victim to phishing. There is no guarantee that the sites on which he has accounts maintain the required level of security. So the potential threat always exists.

2. All employees should be instructed on how to deal with visitors. Clear rules are needed for identifying a visitor and his escort. A visitor should always be accompanied by one of the company's employees. If an employee encounters a visitor wandering around the building alone, he should have the necessary instructions to establish why the visitor is in that part of the building and where his escort is.

3. There should be a rule that only the information that is really necessary is disclosed by phone or in personal conversation, together with a procedure for checking whether the person making a request is a genuine company employee. It is no secret that most of the information an attacker obtains comes from direct communication with the company's employees. It must be taken into account that in large companies employees may not know each other, so an attacker can easily pose as an employee who needs help.

All the measures described are quite simple, but most employees forget about them and about the level of responsibility they took on when signing non-disclosure agreements. A company spends huge sums on ensuring information security by technical means, but those technical means can be bypassed if employees take no measures against social engineers and the security service does not periodically check the vigilance of company personnel. The money spent on information security is then wasted.

PS If the topic is of interest, then in the next post I will discuss in more detail the methods and procedures that help minimize the negative consequences of social engineering.

Source: https://habr.com/ru/post/83415/